Ignite Realtime Openfire vulnerable to Server Side Request Forgery
Critical severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Feb 2, 2023
Package
Affected versions
< 4.5.0-beta
Patched versions
4.5.0-beta
Description
Published by the National Vulnerability Database
Oct 24, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Nov 22, 2022
Last updated
Feb 2, 2023
A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. The issue is fixed in version 4.5.0-beta.
References